In some sites, blocking just one fingerprint technique just break the whole site pages, so useless to even try in the first place.
Scripblockers are meant to block scripts in low-reputation/suspicious sites.
i beg to differ on this particular point, if you visit a malicious page, the first attack is just a malicious script injecting code in your browser/memory or upload a malicious file in your system.
Modern Threat Actors don't waste time and resources studying each visitor system unless the in rare case they target a particular individual or small group. Today, they work by batch to maximize revenues and minimize time and resource cost.
Hackers won't try anymore to break through your router and firewall doing the good'ol historical ping and portscan with Netcat and Nmap or whatever technique it was in the 80-90's.
Data Entry/Spear Phishing, Social Engineering, malicious link redirection, weaponized emails; those are modern hacker attack vectors and way faster and easier.
Fingerprinting isnt a method widely used by threat actors but mostly by marketers.
It is assumed that users know how to use withelists and in the case of Scriptsafe also the temporary disabling of the extension.
2 operations also for me who don't like to use Chrome with a unique simplicity.
With regard to the next answer, just one example:
Gather initial system fingerprint
Once the malware has created the named mutex, it attempts to gather an initial fingerprint of the system to identify the system. This information is then sent to the operating C2 to fingerprint the system to decide which commands to send next.
Sysinfo gathered by the RAT:
- Computer Name.
- Current User Account Name.
- Windows operating system (OS) version in the form of a textual representation:
- XP SP2
- OS bitness i.e.
- 64 bits
- 32 bits
- Directory & File Check: A unique feature of the RAT is that it looks for the presence of a specific directory and all files residing inside it. The directory path (folderpath) is hardcoded in the RAT: C:\ProgramData\System\Dump.
If this directory is present on the infected system then the RAT sends the keyword "Yes" to its C2 and "No" otherwise.
- Another hard coded value from the implant "5.2" is sent to the C2. (May indicate version number of the implant)
The sysinfo gathered by the implant is then put together as a single string with the character ">" used as a delimiter.
(_variable_ = used for depicting a variable value)
DESKTOP-SCOTTPC>jon>Windows 10>sgrmbrokr>64 bits>Yes>5.2>
Although the implant gathers the system information initially, it only sends this information out if it receives a specific command code from the C2. The implant also performs anti-infection checks before it fully activates itself on the endpoint.
Another interesting feature in the implant is that after it gathers the preliminary system information for fingerprinting, it performs a series of checks against the user and computer name it has obtained to identify an endpoint or user account it must avoid its execution on/for. If any of the values from its blacklist match the current user/computer name, it simply stops its execution.